Most people know the difference between a website that is completely insecure and unencrypted and one that offers an encrypted session for security. You simply look for whether the URL starts with HTTP and the address bar displays an open padlock, or the URL starts with HTTPS and shows a locked padlock. Within the realm of secure websites, though, not all certificates are created equal. An extended validation certificate — EV certificate, for short — provides a more in-depth validation process than other certificates and may foster more trust from customers as well.
The difference between an EV certificate and other certificates lies in the verification required to obtain one. Traditional certificates can be acquired by providing organizational information or by demonstrating administrative control of the target domain. On many occasions, though, attackers have found ways to circumvent or subvert those verification methods and obtain fraudulent certificates. The verification process for an EV certificate requires proof that the requesting entity is, in fact, the legal entity that owns and manages the target domain.
According to Wikipedia, the vetting process for an EV certificate involves a number of additional validation steps: “These include manual checks of all the domain names requested by the applicant, checks against official government sources, checks against independent information sources, and phone calls to the company to confirm the position of the applicant. If the certificate is accepted, the government-registered serial number of the business as well as the physical address are stored in the EV certificate.”
As attackers have grown more savvy and adapted to the expectation that a website runs over HTTPS and shows the padlock indicating that it’s secure, they’ve found ways to game the system and create fraudulent or phishing websites that appear to be secure.
Websites with EV certificates show up differently in browsers with EV support, which includes Microsoft Edge, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari. In most implementations, websites with EV certificates include more advanced details about the website and the entity behind it, such as the name of the company that owns the certificate and a bar or text that is distinct—usually green—for easy visual verification of a valid EV certificate.
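The company name and registration details a browser shows for an EV site are read from the certificate's subject. The following is an added example, not part of the original article: a heuristic that sorts a certificate into domain-validated (DV), organization-validated (OV) or EV by the subject fields it carries. It assumes the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the three sample subjects are constructed.

```python
# Added example: classify a certificate as DV, OV or EV from its subject fields.
# Input is the dict shape returned by Python's ssl.SSLSocket.getpeercert().
# Heuristic only: the authoritative EV marker is the CA/Browser Forum policy
# OID 2.23.140.1.1 in the certificatePolicies extension, which this dict omits.

# Subject attributes the CA/Browser Forum EV Guidelines require in an EV certificate.
# Note: the subject's serialNumber is the business registration number, not the
# certificate's own serial number (a separate top-level key in the dict).
EV_REQUIRED = ("organizationName", "businessCategory",
               "serialNumber", "jurisdictionCountryName")

def flatten_subject(cert):
    """Collapse getpeercert()'s nested RDN tuples into {attribute: value}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, value)  # keep the first value if repeated
    return fields

def missing_ev_fields(cert):
    """List the EV-required subject attributes this certificate lacks."""
    fields = flatten_subject(cert)
    return [name for name in EV_REQUIRED if name not in fields]

def validation_level(cert):
    if not cert:  # getpeercert() returns {} when the chain was not validated
        return "unvalidated"
    if not missing_ev_fields(cert):
        return "EV"
    return "OV" if "organizationName" in flatten_subject(cert) else "DV"

def identity_summary(cert):
    f = flatten_subject(cert)
    return {"level": validation_level(cert),
            "organization": f.get("organizationName"),
            "registration_number": f.get("serialNumber"),
            "jurisdiction": f.get("jurisdictionCountryName"),
            "street_address": f.get("streetAddress")}

# Constructed sample subjects (not real certificates).
EV_SAMPLE = {"subject": ((("jurisdictionCountryName", "US"),),
                         (("businessCategory", "Private Organization"),),
                         (("serialNumber", "0000000"),),
                         (("streetAddress", "1 Example Way"),),
                         (("organizationName", "Example Corp"),),
                         (("commonName", "www.example.com"),))}
OV_SAMPLE = {"subject": ((("organizationName", "Example Corp"),),
                         (("commonName", "www.example.com"),))}
DV_SAMPLE = {"subject": ((("commonName", "www.example.com"),),)}
```

Subject fields carry weight only when the chain has validated to a trusted CA, which is why an empty dictionary is reported as `unvalidated` rather than DV.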
We’d like to know more about how important secure websites are to you, and whether you know—or would notice—the difference between a website using a traditional certificate and a website using the more secure EV certificate. Please invest five minutes of your time to take a quick survey and help us learn more about the value of EV certificates when it comes to your level of trust online.